From 4243bd97f3c703a75e795fdc6dd2273a7c74e85c Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 11 Feb 2022 17:47:22 +0100
Subject: [PATCH] Improve error messages for unsupported extensions
If a given extension was not supported by the kernel, iptables would
print a rather confusing error message if extension parameters were
given:
| # rm /lib/modules/$(uname -r)/kernel/net/netfilter/xt_LOG.ko
| # iptables -A FORWARD -j LOG --log-prefix foo
| iptables v1.8.7 (legacy): unknown option "--log-prefix"
Avoid this by pretending extension revision 0 is always supported. It is
the same hack as used to successfully print extension help texts as
unprivileged user, extended to all error codes to serve privileged ones
as well.
In addition, print a warning if the kernel rejected revision 0 and it's not
a permissions problem. This helps users find out which extension in a
rule the kernel didn't like.
Finally, the above commands result in these messages:
| Warning: Extension LOG revision 0 not supported, missing kernel module?
| iptables: No chain/target/match by that name.
Or, for iptables-nft:
| Warning: Extension LOG revision 0 not supported, missing kernel module?
| iptables v1.8.7 (nf_tables): RULE_APPEND failed (No such file or directory): rule in chain FORWARD
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 17534cb18ed0a5052dc45c117401251359dba6aa)
---
iptables/nft.c | 12 +++++++++---
libxtables/xtables.c | 7 ++++++-
2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index c5cc6f83bf573..9643abf2d0085 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3110,10 +3110,16 @@ int nft_compatible_revision(const char *name, uint8_t rev, int opt)
err:
mnl_socket_close(nl);
- /* pretend revision 0 is valid if not permitted to check -
- * this is required for printing extension help texts as user */
- if (ret < 0 && errno == EPERM && rev == 0)
+ /* pretend revision 0 is valid -
+ * this is required for printing extension help texts as user, also
+ * helps error messaging on unavailable kernel extension */
+ if (ret < 0 && rev == 0) {
+ if (errno != EPERM)
+ fprintf(stderr,
+ "Warning: Extension %s revision 0 not supported, missing kernel module?\n",
+ name);
return 1;
+ }
return ret < 0 ? 0 : 1;
}
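Review bot: `errno` is evaluated only after `mnl_socket_close(nl)` at the top of the `err:` path, and close(2) may overwrite it, so the new `errno != EPERM` test — like the pre-existing EPERM pretend-path — can misfire: an unprivileged `-h` invocation could print the "missing kernel module?" warning, or a root user could miss it. Capture the netlink error before the close, e.g. `int saved_errno = errno;` ahead of `mnl_socket_close(nl);` followed by `errno = saved_errno;`, so the checks below see the value the kernel returned. Separately, the warning now fires for every non-EPERM failure, including transient ones such as ENOMEM or EINTR, where a missing-module hint points the user the wrong way; limiting it to ENOENT/EPROTONOSUPPORT would match the libxtables side of this patch. Whether libmnl's close clobbers errno on success is not visible here, and `nft_compatible_revision` begins outside the hunk.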
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 57ad0330a454c..a5c8d7e2c17ef 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -968,7 +968,12 @@ int xtables_compatible_revision(const char *name, uint8_t revision, int opt)
/* Definitely don't support this? */
if (errno == ENOENT || errno == EPROTONOSUPPORT) {
close(sockfd);
- return 0;
+ /* Pretend revision 0 support for better error messaging */
+ if (revision == 0)
+ fprintf(stderr,
+ "Warning: Extension %s revision 0 not supported, missing kernel module?\n",
+ name);
+ return (revision == 0);
} else if (errno == ENOPROTOOPT) {
close(sockfd);
/* Assume only revision 0 support (old kernel) */
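Review bot: The new warning is emitted for both ENOENT and EPROTONOSUPPORT yet always suggests a missing kernel module; if EPROTONOSUPPORT here means the extension exists but not the probed revision (which the kernel reporting two distinct errnos suggests, though that is not visible in this hunk), the hint misleads the user. Consider tailoring the text, e.g. `errno == ENOENT ? "missing kernel module?" : "revision rejected by kernel"`, or printing the hint only for ENOENT. The same format string is now duplicated verbatim in iptables/nft.c; a small shared helper in libxtables would keep the two paths from drifting. Returning 1 here makes the caller proceed with an extension the kernel has already reported as unsupported, relying on the later rule submission to fail as the commit message shows; a one-line comment stating that reliance next to `return (revision == 0);` would help future readers. `xtables_compatible_revision` starts and ends outside the hunk.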
--
2.34.1